Authors

Topics

Flawed Unsubscribes, No Proof of Consent Trip Up Porter Airlines in CASL Enforcement

June 29, 2015

The Canadian Radio-television and Telecommunications Commission (“CRTC”) announced that Porter Airlines Inc. has agreed to pay $150,000 as part of an undertaking for alleged violations of Canada’s anti-spam legislation.

A company caught in the CASL crosshairs can pay the penalty assessed by the CRTC, make written representations (in aid of reducing such penalty), or enter into an “undertaking” with the CRTC on the issue. The CRTC notes that Porter Airlines voluntarily entered into an undertaking, and the undertaking appears to have been entered into prior to the issuance of a Notice of Violation. If an undertaking is entered into prior to a Notice of Violation being issued, no such Notice will issue. This appears to be the situation here.

However, as is evident, the CRTC will issue a media release whether or not a Notice of Violation is issued. Businesses concerned about reputational impact of a CASL investigation may not have many options once an enforcement proceeding has begun.

The Proceeding

The investigation spanned the activities of Porter Airlines between July 2014 (when CASL first came into force) and April 2015. The CRTC alleges Porter Airlines sent “some” commercial emails that:

did not contain an unsubscribe mechanism;

did have an unsubscribe mechanism, but such mechanism was “not clearly or prominently set out”;

failed to honour, within 10 business days, requests from some recipients to unsubscribe from receiving future commercial emails; and/or

did not provide the complete contact information as required by the law.

For certain other emails sent between July 2014 and February 2015, the CRTC alleges that the company was “unable to provide proof that it had obtained consent for each electronic address that received its commercial emails.”

The CRTC provided no information on the number of complaints received, or the number of allegedly infringing emails that were the subject of the investigation.

As part of the undertaking, Porter Airlines undertook to improve its existing compliance program, which will include increased training and education for staff and improved corporate policies and procedures. The CRTC noted that “[o]nce made aware of the investigation by the CRTC, Porter Airlines was cooperative and immediately took corrective actions to comply with the legislation”.

Guidance for Business

Proof of consent continues to be an issue for some businesses, with companies often relying on general policies as evidence of appropriate consent. Businesses would be wise to review the completeness of their current consent documentation processes, which should include specific, detailed documentation of each consent received. Companies may want to consider conducting a “spot audit” to determine if they could provide such documentation, and do so in a timely manner. As the CRTC notes in its release, “[s]ome businesses are under the mistaken impression that they are compliant with the law by relying on general business practices or policies as proof of consent for the majority of the electronic addresses to which they send their commercial emails. This is simply not the case.”

Businesses should also revisit their unsubscribe mechanism to confirm that requests to unsubscribe are being actioned within the required 10 business days. This will be particularly important for those businesses which have outsourced this marketing function to suppliers; confirmation of appropriate unsubscribe mechanisms may require a business to invoke its audit rights under an agreement with such a supplier. As before, robust documentation of unsubscribe requests and actions should be maintained (and if a supplier is involved, this requirement should be a term of any applicable services agreement).

Disappointingly, the CRTC did not provide any further comment on exactly why Porter Airlines’ unsubscribe mechanism was “not clearly or prominently set out”. Was this a case of the font being too small? Having to click through too many pages? Forcing customers to log in to an account prior to unsubscribing? With no clear guidance from the CRTC on this, businesses would be well advised to approach this issue conservatively.